Managing session access across multiple data centers
US-2019014102-A1 · Jan 10, 2019 · US
US12519775B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12519775-B2 |
| Application number | US-202217902201-A |
| Country | US |
| Kind code | B2 |
| Filing date | Sep 2, 2022 |
| Priority date | Sep 2, 2022 |
| Publication date | Jan 6, 2026 |
| Grant date | Jan 6, 2026 |
Abstract
Techniques are described for combining independent sessions between one or more applications and a VPN, proxy service, or similar system, including inner protocol sessions (e.g., QUIC), that originate from a single device into a single logical session that can share a single authentication/authorization token. The techniques include receiving, from a device within a network, a request for a first application to access a service associated with the proxy service or the VPN; sending, to the device, a first authentication request; and receiving, from the device, a message including a token. The techniques may further include authenticating, by the proxy service or the VPN, the token using a unique identifier associated with the device, and enabling, by the proxy service or the VPN, the device to access the service via a first session flow.
Claims
What is claimed is:

1. A method for sharing a common authentication and authorization token across multiple proxy session flows from a device, the method comprising: receiving, from the device within a network, a request for a first application to access a service associated with a proxy service via a first secure session flow, wherein the proxy service comprises a multiplexed application substrate over quick user datagram protocol internet connection (QUIC) encryption (MASQUE) proxy service; sending, to the device, a first authentication request; receiving, from the device, a message including a token, the token being signed using a unique identifier associated with the device, the unique identifier being shared across disparate applications on the device and assigned to the device by the proxy service at a time the device registers with the proxy service; authenticating, by the proxy service, the token using the unique identifier associated with the device, wherein authentication of the token causes the proxy service to bind the first secure session flow with subsequent independent secure session flows from the disparate applications on the device; enabling, by the proxy service, the device to access the service via the first secure session flow; receiving, from the device, a second request for a second application to access a second service via a second secure session flow, the second application comprising a non-browser application and the second secure session flow being independent of the first secure session flow; and based at least in part on receiving a second token signed using the unique identifier, authenticating, by the proxy service, the second token, wherein authenticating the second token causes the proxy service to bind the first secure session flow of the first application with the second secure session flow of the second application, wherein authenticating the second token further comprises: sending, to the device, a second authentication request; receiving, from the device, the second token signed using the unique identifier; and based on authenticating the second token, injecting, by the proxy service, a cookie into the second secure session flow of the second application, wherein the cookie prevents the second application from receiving an interactive authentication request that requests user input for authentication.

2. The method of claim 1, wherein the first authentication request comprises the interactive authentication request that requests the user input for authentication and the second authentication request comprises a passive authentication request that requests proof of possession of the unique identifier.

3. The method of claim 1, wherein the first secure session flow and the second secure session flow are included in a single logical session associated with the device, the single logical session being associated with the unique identifier.

4. The method of claim 1, wherein the unique identifier comprises a public key and a private key pair, and wherein the public key is sent to the device.

5. The method of claim 4, wherein the token is signed using the public key.

6. The method of claim 1, wherein the MASQUE proxy service is executing on a first proxy node of one or more nodes, the first proxy node being deployed in an enterprise network associated with at least one of a domain name system (DNS) server or an application node.

7. The method of claim 1, wherein prior to receiving the request to access the service, the method further comprises: receiving by the proxy service, a request to register the device within the network; assigning, by the proxy service, the unique identifier to the device; storing, by the proxy service, the unique identifier in a database associated with the proxy service; and sending, to the device, the unique identifier for use when generating the token.

8. The method of claim 1, wherein the first secure session flow and the second secure session flow are associated with a location, further comprising: determining, by the proxy service and based on detecting a change in the location of the device, that one or more of the first secure session flow or the second secure session flow has ended; receiving, from the device, a third request for one of the first application, the second application, or a third application, to access a service associated with the proxy service via a third secure session flow; and sending, to the device and based on the change in the location, a third authentication request comprising an interactive authentication request.

9. A system comprising: one or more processors; and one or more non-transitory computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising: receiving, from a device within a network, a request for a first application to access a service associated with a proxy service or a virtual private network (VPN) via a first secure session flow, wherein the proxy service comprises a multiplexed application substrate over quick user datagram protocol internet connection (QUIC) encryption (MASQUE) proxy service; sending, to the device and based on determining the device is unauthenticated, a first authentication request that requests user input including credentials or a unique identifier assigned to the device for authentication of the device; receiving, from the device, a message including a token, the token being signed using the unique identifier, the unique identifier being shared across disparate applications on the device for use in generating the token; authenticating, by the proxy service or the VPN, the token using the unique identifier associated with the device, wherein authentication of the token causes the proxy service or the VPN to cryptographically associate the token with subsequent independent secure session flows from the disparate applications on the device, wherein at least one authentication request for a subsequent independent secure session flow is received from a non-browser application; enabling, by the proxy service or the VPN, the device to access the service via the first secure session flow; receiving, from the device, a second request for a second application to access a second service, the second application comprising the non-browser application; sending, to the device, a second authentication request; receiving, from the device, a second token signed using the unique identifier; authenticating, by the proxy service or the VPN, the second token; and injecting, by the proxy service or the VPN, a cookie into a second secure session flow of the second application, wherein the cookie prevents the second application from receiving an interactive authentication request that requests the user input for authentication.

10. The system of claim 9, wherein the first authentication request comprises the interactive authentication request and the second authentication request comprises a passive authentication request that requests proof of possession of the unique identifier.

11. The system of claim 9, wherein the first secure session flow and the second secure session flow are included in a single logical session associated with the device, the single logical session being associated with the unique identifier.

12. The system of claim 9, wherein the unique identifier comprises a public key and a private key pair, and wherein the public key is sent to the device.

13. The system of claim 12, wherein the token is signed using the public key.
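The exchange the abstract and claims 1, 2, 7 and 8 describe, as an added example that is not code from the patent or its assignee: registration assigns the device identifier as an Ed25519 key pair (the claims call it a public/private key pair; the split used here, the proxy storing the public half and the device's applications sharing the private half, is an assumption), the first flow gets an interactive request, every later flow from the same device gets a passive proof-of-possession request answered by signing a proxy-chosen challenge, a verified token binds the flow into one logical session whose cookie is injected so that flow is never prompted again, and a location change ends the session. The names Proxy, RequestAccess, Authenticate, SignChallenge, the device|flow keying and the proxy_session cookie are illustrative; the MASQUE/QUIC transport is not modelled, and flows are identified by plain string IDs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// AuthRequest: Interactive asks the user for credentials; otherwise only proof of possession is asked.
type AuthRequest struct {
	Interactive bool
	Challenge   []byte // proxy-chosen nonce (assumption): a signed token cannot be replayed on another flow
}

// logicalSession binds all authenticated flows of one device; its cookie is injected into bound flows.
type logicalSession struct {
	location string
	flows    map[string]bool
	cookie   string
}

// Proxy is the MASQUE proxy side: registered identifiers, outstanding challenges, live sessions.
type Proxy struct {
	devices  map[string]ed25519.PublicKey
	pending  map[string][]byte
	sessions map[string]*logicalSession
}

func NewProxy() *Proxy {
	return &Proxy{map[string]ed25519.PublicKey{}, map[string][]byte{}, map[string]*logicalSession{}}
}

func nonce(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand.Read never returns an error (documented since Go 1.24)
	return b
}

// Register assigns the identifier: proxy keeps the public half, device's apps share the private half.
func (p *Proxy) Register(deviceID string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	p.devices[deviceID] = pub
	return priv, nil
}

// RequestAccess: an app opens a flow and gets an auth request, or the cookie if the flow is bound.
func (p *Proxy) RequestAccess(deviceID, flowID, location string) (*AuthRequest, string) {
	s := p.sessions[deviceID]
	if s != nil && s.location != location { // claim 8: a location change ends the flows
		delete(p.sessions, deviceID)
		s = nil
	}
	if s != nil && s.flows[flowID] {
		return nil, s.cookie
	}
	challenge := nonce(16)
	p.pending[deviceID+"|"+flowID] = challenge
	return &AuthRequest{Interactive: s == nil, Challenge: challenge}, ""
}

// Authenticate verifies the token, binds the flow into the logical session, returns the cookie.
func (p *Proxy) Authenticate(deviceID, flowID, location string, token []byte) (string, error) {
	pub, ok := p.devices[deviceID]
	if !ok {
		return "", errors.New("unknown device identifier")
	}
	challenge, ok := p.pending[deviceID+"|"+flowID]
	if !ok {
		return "", errors.New("no outstanding challenge: replayed or unsolicited token")
	}
	delete(p.pending, deviceID+"|"+flowID) // each challenge is single use
	if !ed25519.Verify(pub, challenge, token) {
		return "", errors.New("token not signed with this device's identifier")
	}
	s := p.sessions[deviceID]
	if s == nil {
		s = &logicalSession{location, map[string]bool{}, fmt.Sprintf("proxy_session=%x", nonce(16))}
		p.sessions[deviceID] = s
	}
	s.flows[flowID] = true
	return s.cookie, nil
}

// SignChallenge is the device side: any application signs the challenge with the shared private half.
func SignChallenge(priv ed25519.PrivateKey, req *AuthRequest) []byte {
	return ed25519.Sign(priv, req.Challenge)
}

func main() {
	p := NewProxy()
	priv, _ := p.Register("dev-1")
	req, _ := p.RequestAccess("dev-1", "browser-flow", "office") // req.Interactive is true: first flow
	fmt.Println(p.Authenticate("dev-1", "browser-flow", "office", SignChallenge(priv, req)))
}
```

The claims only say the token is "signed using the unique identifier"; the single-use, proxy-chosen challenge is the detail a practitioner would add so that a token captured from one application cannot be replayed to bind a rogue flow, and the unknown-device, wrong-key and replay paths all fail closed before any flow is bound.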
CPC classifications:
- Proxies
- Virtual private networks
- Proxy, i.e. using intermediary entity to perform cryptographic operations
- Applying self-generating credentials, e.g. instead of receiving credentials from an authority or from another peer, the credentials are generated at the entity itself
- For key distribution, e.g. centrally by trusted party (cryptographic mechanisms or cryptographic arrangements for key distribution involving a central third party H04L9/0819)